Last updated: 01 January 2023
This Data Processing Agreement ("DPA") is entered into between SMILESIM S.R.L. ("SmileSIM") and the entity or organization that you represent ("Client").
This DPA refers to the data processing of Personal Information of natural persons located in the European Economic Area, by the Data Processor on behalf of the Data Controller.
By continuing to access or use the Service, Client acknowledges that it has read, understood, and agreed to be bound by the terms and conditions of this DPA.
1.1. "Data Controller" refers to the entity that determines the purposes and means of the processing of personal data. For the purposes specified in this DPA, the Data Controller is the entity or organization that you represent ("Client").
1.2. "Data Processor" refers to the entity that processes personal data on behalf of the Data Controller. For the purposes specified in this DPA, SMILESIM S.R.L., when processing personal data on behalf of the Client, is the Data Processor.
1.3. "Personal Data" refers to any information relating to an identified or identifiable natural person that is processed by the Data Processor on behalf of the Data Controller.
1.4. "Processing" refers to any operation or set of operations performed on personal data, such as collection, recording, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, or destruction.
2.1. The purpose of this DPA is to outline the terms and conditions governing the processing of personal data by the Data Processor on behalf of the Data Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
2.2. This DPA is applicable to all personal data processed by the Data Processor on behalf of the Data Controller within the context of the services provided under the main agreement.
3.1. The Data Controller shall:
a) Provide clear instructions regarding the processing of personal data to the Data Processor, consistent with applicable data protection laws.
b) Ensure that the processing of personal data is lawful and complies with all relevant data protection laws.
c) Be responsible for obtaining any necessary consents or authorizations from data subjects, where applicable.
d) Have the authority to monitor and audit the data processing activities performed by the Data Processor.
3.2. The Data Processor shall:
a) Process personal data only on documented instructions from the Data Controller, unless required by law to do otherwise.
b) Implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data.
c) Assist the Data Controller in fulfilling its data protection obligations, to the extent reasonably necessary.
d) Only engage sub-processors with the prior written consent of the Data Controller and ensure that such sub-processors are bound by contractual obligations equivalent to those set out in this DPA.
e) Notify the Data Controller promptly if it becomes aware of any unauthorized or unlawful processing, security breaches, or other incidents related to personal data.
4.1. The Data Processor shall implement appropriate technical and organizational measures to ensure the security of personal data, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects.
4.2. The Data Processor shall maintain a record of all security measures implemented, which shall be made available to the Data Controller upon request.
5.1. The Data Processor may engage sub-processors to carry out specific processing activities on behalf of the Data Controller. The Data Processor shall ensure that any sub-processors it engages comply with the same data protection obligations as set out in this DPA.
5.2. The Data Processor shall maintain an up-to-date list of sub-processors and provide the Data Controller with reasonable prior notice of any intended changes to the list. The Data Controller shall have the right to object to the engagement of a new sub-processor on reasonable grounds.
5.3. If the Data Processor engages a sub-processor, it shall have a written agreement in place with the sub-processor that imposes the same data protection obligations as set out in this DPA.
6.1. Personal data may be transferred to countries outside the European Economic Area (EEA) or the European Union (EU) by the Data Processor only if appropriate safeguards are in place in accordance with applicable data protection laws, such as the use of standard contractual clauses or the existence of an adequacy decision by the European Commission.
7.1. The Data Processor shall assist the Data Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, such as the rights of access, rectification, erasure, restriction of processing, data portability, and objection.
7.2. The Data Processor shall promptly notify the Data Controller if it receives a request directly from a data subject regarding their personal data processed under this DPA.
8.1. In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach. The notification shall provide details of the breach, including its nature, scope, and any recommended measures to mitigate the risks and protect the rights and freedoms of data subjects.
9.1. This DPA shall remain in effect for the duration of the data processing activities or until terminated in accordance with the main agreement or applicable data protection laws.
9.2. Upon termination, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data processed under this DPA and delete any existing copies, unless otherwise required by law.